It is impossible to calculate the business risk of inadequate information security; addressing this, BS 7799, the new Information Security Management System (ISMS) certification, controls the risk and enhances security.

There are several aspects affecting information security:
- Confidentiality - users must only have access to information they are authorised to see;
- Integrity - safeguarding the accuracy and completeness of information and processing methods;
- Availability - information is available, in the correct context, when required by authorised users.

BS 7799 protects information

The unimaginable amount of data available today has raised the need for a comprehensive standard covering information security. Says Nordin, BS 7799 was developed as a result of industry, government and commerce calling for a common framework to enable companies to develop, implement and measure effective security practice.
The following steps are needed before certification:
- State an Information Security Policy
- Define a Scope Statement
- Conduct a Risk Analysis
- Derive a Statement of Applicability
- Design and implement an ISMS.
The ISMS that the company has implemented, based on the identification of risks facing it, is audited in a similar way to other management systems such as ISO 9000 and ISO 14001.
Management has always followed up financial issues, continues Nordin. In past years, management systems for quality, environment, and health and safety have been implemented and followed up by management, since those questions have become more important. Now that the time for information security management has come, it does not mean that the company needs to create yet another management system. An integrated business management system can serve.
Nordin points out that a BS 7799 ISMS certificate may be of most interest to business partners who entrust information into the custody of the certificated organisation. It will also affect the management of the company itself, to demonstrate adherence to good security practice.
Date: 15 February 2000
